tlsMinVersion for the prometheus operator is set to TLS 1.3
The tlsMinVersion is set to TLS 1.3. This is causing webhooks to fail when deploying the ArgoCD chart. Passing in tlsMinVersion: VersionTLS12 fixes the issue. TLS 1.2 is still supported by FIPS until Jan 2024, so this seems to be an issue with the chart versus the Kubernetes cluster.
Log message from the monitoring-monitoring-kube-operator pod:
ts=2022-03-08T14:43:01.956674418Z caller=stdlib.go:105 caller=server.go:3158 msg="http: TLS handshake error from 127.0.0.6:50714: tls: client offered only unsupported versions: [303]"
This also causes errors when reconciling the monitoring namespace:
Internal error occurred: failed calling webhook "prometheusrulemutate.monitoring.coreos.com": Post "https://monitoring-monitoring-kube-operator.monitoring.svc:443/admission-prometheusrules/validate?timeout=10s": remote error: tls: protocol version not supported && cannot patch "monitoring-monitoring-kube-prometheus" with kind PrometheusRule: Internal error occurred: failed calling webhook "prometheusrulemutate.monitoring.coreos.com": Post "https://monitoring-monitoring-kube-operator.monitoring.svc:443/admission-prometheusrules/validate?timeout=10s": remote error: tls: protocol version not supported
prometheusOperator:
  enabled: true
  ## Prometheus-Operator v0.39.0 and later support TLS natively.
  ##
  tls:
    enabled: true
    # Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
    tlsMinVersion: VersionTLS13
  # The default webhook port is 10250 in order to work out-of-the-box in GKE private clusters and avoid adding firewall rules.
  internalPort: 10250
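
Added example, not part of the original report or the chart: Go's TLS server prints the client's offered versions in hex, so `[303]` in the log above is 0x0303, which is `tls.VersionTLS12`. The sketch below decodes that list and checks it against a `tlsMinVersion` name; the function and variable names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Names the chart accepts for tlsMinVersion (crypto/tls constant names).
var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

var offeredRe = regexp.MustCompile(`client offered only unsupported versions: \[([0-9a-f ]*)\]`)

// acceptedBy reports whether any version in the handshake error's hex list
// (Go formats the []uint16 with %x) meets the named minimum.
func acceptedBy(logLine, minName string) (bool, error) {
	floor, ok := versions[minName]
	if !ok {
		return false, fmt.Errorf("unknown tlsMinVersion %q", minName)
	}
	m := offeredRe.FindStringSubmatch(logLine)
	if m == nil {
		return false, fmt.Errorf("no offered-version list in log line")
	}
	for _, f := range strings.Fields(m[1]) {
		v, err := strconv.ParseUint(f, 16, 16)
		if err != nil {
			return false, err
		}
		if uint16(v) >= floor {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	line := `tls: client offered only unsupported versions: [303]` // from the log above
	fmt.Println(acceptedBy(line, "VersionTLS13")) // false <nil>
	fmt.Println(acceptedBy(line, "VersionTLS12")) // true <nil>
}
```
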